From f6926d70cd11e8e1002518b9ce532e2ef40e6a8f Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 18 Apr 2018 16:35:43 -0400
Subject: [PATCH] Logstash Module - change docker mounts
---
 salt/logstash/OLDinit.sls | 168 ++++++++++++++++++++++++++++++++++++++
 salt/logstash/init.sls | 59 +------------
 2 files changed, 171 insertions(+), 56 deletions(-)
 create mode 100644 salt/logstash/OLDinit.sls
diff --git a/salt/logstash/OLDinit.sls b/salt/logstash/OLDinit.sls
new file mode 100644
index 000000000..ac3a8adea
--- /dev/null
+++ b/salt/logstash/OLDinit.sls
@@ -0,0 +1,168 @@
+# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# Logstash Section - Decide which pillar to use
+{% if grains['role'] == 'so-sensor' %}
+
+{% set lsheap = salt['pillar.get']('sensor:lsheap', '') %}
+{% set lsaccessip = salt['pillar.get']('sensor:lsaccessip', '') %}
+
+{% else %}
+
+{% set lsheap = salt['pillar.get']('master:lsheap', '') %}
+{% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %}
+{% set freq = salt['pillar.get']('master:freq', '0') %}
+{% set dstats = salt['pillar.get']('master:domainstats', '0') %}
+
+{% endif %}
+
+# Create the logstash group
+logstashgroup:
+ group.present:
+ - name: logstash
+ - gid: 931
+
+# Add the logstash user for the jog4j settings
+logstash:
+ user.present:
+ - uid: 931
+ - gid: 931
+ - home: /opt/so/conf/logstash
+
+# Create a directory for people to drop their own custom parsers into
+lscustdir:
+ file.directory:
+ - name: /opt/so/conf/logstash/pipeline
+ - user: 931
+ - group: 939
+ - makedirs: True
+
+# Copy down all the configs including custom - TODO add watch restart
+lssync:
+ file.recurse:
+ - name: /opt/so/conf/logstash
+ - source: salt://logstash/files
+ - user: 931
+ - group: 939
+ - template: jinja
+
+# Create the import directory
+importdir:
+ file.directory:
+ - name: /nsm/import
+ - user: 931
+ - group: 939
+ - makedirs: True
+
+# Create the logstash data directory
+nsmlsdir:
+ file.directory:
+ - name: /nsm/logstash
+ - user: 931
+ - group: 939
+ - makedirs: True
+
+# Create the log directory
+lslogdir:
+ file.directory:
+ - name: /opt/so/log/logstash
+ - user: 931
+ - group: 939
+ - makedirs: True
+
+{% if freq == 0 and dstats == 0 %}
+
+/opt/so/conf/logstash/rulesets:
+ file.managed:
+ - contents:
+ - FREQ=0
+ - DSTATS=0
+
+removefreq:
+ file.absent:
+ - name: /opt/so/conf/logstash/pipeline/*_postprocess_freq_analysis_*.conf
+
+removedstats1:
+ file.absent:
+ - name: /opt/so/conf/logstash/pipeline/8007_postprocess_dns_top1m_tagging.conf
+
+removedstats2:
+ file.absent:
+ - name: /opt/so/conf/logstash/pipeline/8008_postprocess_dns_whois_age.conf
+
+{% elif freq == 1 and dstats == 0 %}
+/opt/so/conf/logstash/rulesets:
+ file.managed:
+ - contents:
+ - FREQ=1
+ - DSTATS=0
+
+removedstats1:
+ file.absent:
+ - name: /opt/so/conf/logstash/pipeline/8007_postprocess_dns_top1m_tagging.conf
+removedstats2:
+ file.absent:
+ - name: /opt/so/conf/logstash/pipeline/8008_postprocess_dns_whois_age.conf
+
+{% elif freq == 1 and dstats == 1 %}
+/opt/so/conf/logstash/rulesets:
+ file.managed:
+ - contents:
+ - FREQ=1
+ - DSTATS=1
+
+{% elif freq == 0 and dstats == 1 %}
+/opt/so/conf/logstash/rulesets:
+ file.managed:
+ - contents:
+ - FREQ=0
+ - DSTATS=1
+
+removefreq:
+ file.absent:
+ - name: /opt/so/conf/logstash/pipeline/*_postprocess_freq_analysis_*.conf
+
+{% endif %}
+
+# Add the container
+
+so-logstash:
+ docker_container.running:
+ - image: toosmooth/so-logstash:test2
+ - hostname: logstash
+ - name: logstash
+ - user: logstash
+ - environment:
+ - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
+ - port_bindings:
+ - {{ lsaccessip }}:5044:5044
+ - {{ lsaccessip }}:6050:6050
+ - {{ lsaccessip }}:6051:6051
+ - {{ lsaccessip }}:6052:6052
+ - {{ lsaccessip }}:6053:6053
+ - {{ lsaccessip }}:9600:9600
+ - binds:
+ - /opt/so/conf/logstash/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro
+ - /opt/so/conf/logstash/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
+ - /opt/so/conf/logstash/logstash-template.json:/logstash-template.json:ro
+ - /opt/so/conf/logstash/beats-template.json:/beats-template.json:ro
+ - /opt/so/conf/logstash/pipeline:/usr/share/logstash/pipeline:rw
+ - /opt/so/conf/logstash/rulesets:/usr/share/logstash/rulesets:ro
+ - /opt/so/rules:/etc/nsm/rules:ro
+ - /nsm/import:/nsm/import:ro
+ - /nsm/logstash:/usr/share/logstash/data:rw
+ - /opt/so/log/logstash:/var/log/logstash:rw
+ - /sys/fs/cgroup:/sys/fs/cgroup:ro
+ - network_mode: so-elastic-net
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index ac3a8adea..68a53de8e 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -44,7 +44,7 @@ logstash:
 # Create a directory for people to drop their own custom parsers into
 lscustdir:
 file.directory:
- - name: /opt/so/conf/logstash/pipeline
+ - name: /opt/so/conf/logstash/custom
 - user: 931
 - group: 939
 - makedirs: True
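Review bot: OLDinit.sls is a byte-for-byte copy of the pre-change init.sls (both carry blob ac3a8adea in their index lines) that remains a loadable Salt state (`logstash.OLDinit`) and declares the same `logstash` container with /opt/so/conf/logstash/pipeline bound read-write, so applying it by mistake would silently revert the mount tightening that init.sls introduces. Git history already preserves the old version; the file should be dropped from the state tree, or moved outside salt/ if it is kept for reference. Separately, the branch logic it carries compares `freq`/`dstats` with the integers 0 and 1 while the `pillar.get` defaults are the strings '0', so with unset pillar keys none of the `{% if freq == 0 and dstats == 0 %}` branches match and no rulesets file is managed; if this logic is ever revived, `{% set freq = salt['pillar.get']('master:freq', 0) %}` (or an `|int` filter) is the fix.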
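Review bot: Pointing lscustdir at /opt/so/conf/logstash/custom does not retire the old /opt/so/conf/logstash/pipeline directory that this same state created on already-deployed hosts, so any parsers operators dropped there are left behind unmounted once the container hunk below switches to the custom directory. A short migration — a `file.absent` for the old path after its contents are moved, or at least a note in the comment above pointing to the new location — would make the change safe to roll out; it is also worth checking whether the tree lssync copies from salt://logstash/files still contains a pipeline/ subtree, since that would now land on the host without being used. The `- group: 939` context lines reference a gid that nothing in this file creates (logstashgroup is gid 931); that predates this change but is worth reconciling while the directory layout is being reworked.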
@@ -82,60 +82,6 @@ lslogdir:
 - group: 939
 - makedirs: True
 
-{% if freq == 0 and dstats == 0 %}
-
-/opt/so/conf/logstash/rulesets:
- file.managed:
- - contents:
- - FREQ=0
- - DSTATS=0
-
-removefreq:
- file.absent:
- - name: /opt/so/conf/logstash/pipeline/*_postprocess_freq_analysis_*.conf
-
-removedstats1:
- file.absent:
- - name: /opt/so/conf/logstash/pipeline/8007_postprocess_dns_top1m_tagging.conf
-
-removedstats2:
- file.absent:
- - name: /opt/so/conf/logstash/pipeline/8008_postprocess_dns_whois_age.conf
-
-{% elif freq == 1 and dstats == 0 %}
-/opt/so/conf/logstash/rulesets:
- file.managed:
- - contents:
- - FREQ=1
- - DSTATS=0
-
-removedstats1:
- file.absent:
- - name: /opt/so/conf/logstash/pipeline/8007_postprocess_dns_top1m_tagging.conf
-removedstats2:
- file.absent:
- - name: /opt/so/conf/logstash/pipeline/8008_postprocess_dns_whois_age.conf
-
-{% elif freq == 1 and dstats == 1 %}
-/opt/so/conf/logstash/rulesets:
- file.managed:
- - contents:
- - FREQ=1
- - DSTATS=1
-
-{% elif freq == 0 and dstats == 1 %}
-/opt/so/conf/logstash/rulesets:
- file.managed:
- - contents:
- - FREQ=0
- - DSTATS=1
-
-removefreq:
- file.absent:
- - name: /opt/so/conf/logstash/pipeline/*_postprocess_freq_analysis_*.conf
-
-{% endif %}
-
 # Add the container
 
 so-logstash:
@@ -158,8 +104,9 @@ so-logstash:
 - /opt/so/conf/logstash/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
 - /opt/so/conf/logstash/logstash-template.json:/logstash-template.json:ro
 - /opt/so/conf/logstash/beats-template.json:/beats-template.json:ro
- - /opt/so/conf/logstash/pipeline:/usr/share/logstash/pipeline:rw
+ - /opt/so/conf/logstash/custom:/usr/share/logstash/pipeline.custom:ro
 - /opt/so/conf/logstash/rulesets:/usr/share/logstash/rulesets:ro
+ - /opt/so/conf/logstash/conf.enabled.txt:/usr/share/logstash/conf.enabled.txt:ro
 - /opt/so/rules:/etc/nsm/rules:ro
 - /nsm/import:/nsm/import:ro
 - /nsm/logstash:/usr/share/logstash/data:rw
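Review bot: The new `/opt/so/conf/logstash/conf.enabled.txt:/usr/share/logstash/conf.enabled.txt:ro` bind names a host file that no state in this diff creates, and the adjacent `/opt/so/conf/logstash/rulesets` bind has just lost its only producer (the `file.managed` block deleted in the -82,60 hunk above), so unless the salt://logstash/files tree that lssync copies ships both, Docker's behaviour for a missing bind source is to create an empty directory at the host path and Logstash will be handed directories where it expects files. Adding an explicit `file.managed` (or `file.exists`) state for each path and listing them under a `- require:` on so-logstash would make the highstate fail loudly instead of starting the container with placeholder directories. The `{% set freq %}` and `{% set dstats %}` pillar reads near the top of init.sls are left without any reader after the deletion and can be removed as well. Replacing the read-write pipeline mount with a read-only custom mount is a welcome tightening of what the container can alter on the host; the so-logstash block continues past the end of this hunk.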